Re: [mod-security-users] Output Filters with mod_jk2

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello Ryan,

thanks for your answer. Please see my qutoes below.

Thank you!
-mark

Ryan Barnett wrote:
> Take a look at your debug output.  It is catching the 404 text string in
> the html body of the response and not the HTTP headers.  The quick
> answer to your situation is that the output filtering of mod_security
> looks at the body of the response and not the HTTP header info. 

OK, but am I right when thinking that there is no difference between the
two requests in the log regarding output filtering? In both cases the
string is matched in the body (which is sufficient for me in this
situation). But for the second request, the error page is not delivered.
If we found a way to deliver that error page correctly, everything would
be great.

What do you think about the idea "...Maybe it is about communication
betwenn apache and mod_jk, where modsecurity is not involved"."? Could
that be a possible problem?

> One thing that you could try would be to use proxying of some sort with
> Apache.  I found that when you use the proxy module, mod_security will
> look at the entire response (headers + body).

thanks for your suggestion. I think filtering with the upcoming
proxy_ajp module could be working without a problem, but for now we
cannot switch to mod_proxy because we need those load balancing features
that mod_jk2 offers. I tested it with mod_proxy, and as you mentioned,
there was no problem. Within the other pages (some are served with
mod_proxy) output filtering is fine.

> Give it a try and let me know.
>  
> -- 
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> 
>  
> On 9/2/05, *marks mlists* <ml...@ms... <mailto:ml...@ms...>> wrote:
> 
>     The only difference between the tomcat 404 and the webpage containing
>     exactly the same html code I can see is:
> 
>     1. There is a trailing NULL at the end of the created webpage
>     2. The header sent by tomcat. When accessing the file, tomcat sends
> 
>     HTTP/1.1 200 OK
>     ETag: W/"996-1125649082000"
>     Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
>     Content-Type: text/html
>     Content-Length: 996
>     Date: Fri, 02 Sep 2005 09:04:44 GMT
>     Server: Apache-Coyote/1.1
>     Connection: close
> 
>     and after removing the file tomcat outputs
> 
>     HTTP/1.1 404 /fpi/testi.html
>     Content-Type: text/html;charset=utf-8
>     Content-Length: 997
>     Date: Fri, 02 Sep 2005 09:05:55 GMT
>     Server: Apache-Coyote/1.1
>     Connection: close
> 
>     Thanks in advance!
>     -mark
> 